Ethereum staking protocol Lido Finance has assured investors and token holders that both Lido DAO (LDO) and staked-Ether (stETH) remain safe despite a known security flaw in the LDO’s token contract. This fly in the ointment was unveiled in a post by blockchain security firm SlowMist on September 10. The flaw reportedly springs from LDO’s token contract, which allows “fake deposit” attacks, a process by which malicious actors can make transactions even when they don’t possess sufficient funds, a deviation from the Ethereum Request for Comment 20 (ERC-20) token standard according to SlowMist.
However, Lido Finance counter arguing that the flaw is inherent within all ERC-20 tokens, not merely their LDO token. The firm acknowledged the loophole but assured that all LDO and stETH funds remained secure. They did not confirm, however, whether there were any exploited incidents.
The issue arises when the value of a transfer implemented by LDO’s token contract is larger than what the user owns, producing a false positive instead of halting the transaction. While SlowMist claimed that this capability was recently exploited, they failed to offer any tangible on-chain evidence.
To cope with the security breach, Lido has confirmed plans to update the LDO token integration guides very soon. While a remedial approach is being applied, concern still looms among token holders as SlowMist had recommended them to not only look out for the success or failure of a transaction but also the return values of the token contract transfers.
While tokens safety assurance is an inherent trait for blockchain, these flaws bring a bit of uncertainty and skepticism to the ecosystem. It’s a reminder and a lesson that comprehension and meticulous testing are needed before integrating any new tokens into the system. The underlying foundational assertions run deep inside the official Ethereum Improvement Proposal document, co-authored by Vitalik Buterin in November 2015, ensuring the necessity for “transfer” and “transferFrom” functions to return the transfer status, as this greatly helps in recognising and managing flaws.
On the one hand, new technology is always subject to vulnerabilities, and these can be turned into catalysts for improvement. On the other, whenever dealing with digital assets, it’s always crucial to remember that we are in many ways in uncharted waters and we must always be on high alert for possible security issues.
Source: Cointelegraph